With the GDPR (General Data Protection Regulation) changes looming, we have put together a summary of facts that you need to know.
Compliance deadline = 25th May 2018
The General Data Protection Regulation (GDPR) demands greater accountability and transparency from organisations in how they collect, process and store personal information. If you have a database of client data, whether that’s customers that buy your home-reared sausages, or guests that have stopped in your on-farm bed and breakfast, you need to know about GDPR.
The ability to prove compliance with these changes is critical, and a comprehensive and effective privacy compliance framework will generate the evidence to support your claims of compliance. In short, document the processes you go through to show that you are becoming compliant with the changes.
Summary of changes –
You need to get explicit permission from the people on your EU email database to email them after the 25th of May 2018, once GDPR takes effect. The process of going to a list or email database to establish opt-ins is called ‘permission passing’. You will need to send a series of emails to your client database (aim for three between now and the deadline), asking them to opt in to receiving your mail going forward. Studies from companies that have already undergone the process have shown that you will see a significant drop in the size of your database as a result; however, it is crucial to remember that this new database is of a higher quality than your old one: it is made up of people who actually want to hear from you, and who are far more likely to become repeat customers. A database of 100 interested people is more valuable to you than one of 5,000 people who just delete your emails when they come in.
Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). Furthermore, should your data be breached at any point, under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach.
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. If they ask for it, you must also provide any of your data subjects with a copy of their personal data, free of charge, in an electronic format.
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further use of the data, and potentially have third parties halt processing of the data. If someone asks to ‘unsubscribe’ from your emails, their data must be wiped from your records. Full stop.
A Data Protection Officer (DPO) must be appointed within each organisation, and their details provided to the local Data Protection Authority (DPA). This is all part of being able to prove that you have undergone the correct processes.
If you need any help with making the most of the GDPR changes and to ensure you do it correctly, send us an email and our marketing executive would be happy to help.